Tokenization is not enough: Ensuring secure mobile payments using dynamic issuance with on-device security and management
HCE cloud-based mobile payments have opened a new chapter in the industry’s thinking about the security of card data on-device and the risk management associated with it. The lack of secure element hardware storage on-device creates the need for strong software-based solutions to mitigate the risk of storing sensitive card data in phone memory. Tokenization has emerged as one of the most important solutions for enabling secure cloud-based payments. By replacing something of high value, the secure Personal Account Number (PAN), with something of lower value, the limited-time use card data or “token,” tokenization protects the original PAN from misuse.
But is Tokenization alone enough?
Traditionally, tokenization means one-time use data. If one-time use card data is provisioned to the phone, then the security risk of that data being in the open is restricted to that transaction only. However, per the EMVCo specification on tokenization, a token is defined as an alternate PAN, which is not the same as one-time use data. Consequently, tokenization specifications being implemented in commercial services today provision tokens to phones with extended active life spans, opening the window for potential fraud. Hence tokenization plays a smaller role in cloud-based payment security for proximity payments than it is often given. The main security it provides is that a hacker cannot use the stolen card data online or through other channels.
Furthermore, having cryptographic keys and functions in the phone database leaves critical payment data vulnerable to attacks.
It follows that there is more to cloud-payment deployments than tokenization!
Two aspects become critical for consideration in thinking about cloud payment deployment based on HCE and tokenization. They are dynamic issuance and on-device security and management.
Service providers are generally familiar with the aspects of card issuance and personalization. Card issuance and personalization for SE-based and HCE-based issuance have much in common. The key difference is that the former is static while the latter is dynamic in nature. Dynamic issuance requires dynamic management of the card and account data in addition to tokenization.
The dynamic management of mobile issuance coupled with on-device management is what ensures the security of tokens sent to mobile devices.
On-device management is the ability to dynamically monitor various threshold parameters that govern the policy for making a transaction and performing account replenishment. For example, a bank may decide to replenish account parameters if the device is used to transact at a location that is 250 miles away from where the account data was initially issued. In this case, the digital issuance system resets the threshold parameters and replenishes the limited-use key. This is an example of how location data can be used to dynamically manage account parameters for cloud payment deployments.
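The 250-mile policy described above can be sketched as a threshold check followed by a reset. This is an added example, not Sequent's code: the `AccountParams` model, the transaction-count threshold, and the choice to treat a missing location as a replenishment trigger are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

EARTH_RADIUS_MILES = 3958.8  # mean Earth radius
Location = Tuple[float, float]  # (latitude, longitude) in degrees

@dataclass
class AccountParams:
    """Constructed model of the thresholds issued alongside a limited-use key."""
    issued_at: Location                # where the account data was issued
    max_distance_miles: float = 250.0  # the bank policy from the example above
    txns_remaining: int = 5            # assumed second threshold, not from the article

def haversine_miles(a: Location, b: Location) -> float:
    """Great-circle distance between two points, in miles."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def replenish_reasons(params: AccountParams,
                      txn_location: Optional[Location]) -> List[str]:
    """Return every threshold the pending transaction crosses (empty = proceed)."""
    reasons = []
    if txn_location is None:
        # Assumption: a device that cannot report its location fails closed.
        reasons.append("location_unavailable")
    elif haversine_miles(params.issued_at, txn_location) > params.max_distance_miles:
        reasons.append("distance_exceeded")
    if params.txns_remaining <= 0:
        reasons.append("txn_count_exhausted")
    return reasons

def replenish(params: AccountParams, txn_location: Location,
              fresh_txns: int = 5) -> AccountParams:
    """Model the issuance system resetting thresholds around the new location.
    Delivery of the new limited-use key itself is out of scope here."""
    return AccountParams(issued_at=txn_location,
                         max_distance_miles=params.max_distance_miles,
                         txns_remaining=fresh_txns)

# Constructed sample coordinates.
NEW_YORK, BOSTON, CHICAGO = (40.7128, -74.0060), (42.3601, -71.0589), (41.8781, -87.6298)
```
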
On-device security is the implementation of a software-based secure element to protect card data and cryptographic keys and functions. In addition, application integrity must be maintained so that the application resists modification by hackers. Various techniques, including white-box cryptography, must be employed to protect application integrity.
Sequent is at the forefront of the HCE cloud-based revolution, enabling some of the biggest banks and card personalization bureaus to deliver secure cloud-based payments to millions of consumers. In our new white paper “Tokenization is not enough: Ensuring secure mobile payments using dynamic issuance with on-device security and management”, we explore the issues raised by current implementations and the solutions proposed to mitigate fraud and minimize risk.